SecurityXploded.com
SecurityTrainings
Mailing List Join us on Google+ Twitter facebook RSS Feeds
Exposing the Outlook Password Secrets - www.SecurityXploded.com
 
 
Exposing the Outlook Password Secrets
 
 
 
See Also
 
 
 
Contents
 
 
 
About Outlook & Password Recovery

Microsoft Outlook is the popular email client used within the enterprises worldwide. It provides multiple type of email configuration including Exchange Server, POP3, IMAP, HTTP etc.


Like many applications, Outlook also stores the account password for subsequent logins when user selects the 'Remember Password' option during authentication. The password is stored in the encrypted format and only corresponding user can decrypt the password.

Different versions of Outlook store the password at separate locations using distinct encryption methods.


This research article throws light on uncovering the password stored by different version of Outlook on different platforms.

 
 
 
Recovering Passwords from Outlook 2002-2013
All versions of Outlook starting from 2002 to latest version 2010, store the passwords (other than exchange server) for various email account such as POP3, IMAP, SMTP, HTTP at following registry location.
 
[Windows NT onwards]
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

[Prior to Windows NT]
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles
 
Latest Outlook 2013 (version 15.0) stores the account configuration along with encrypted password at following location
 
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
 
Outlook stores other information related to configured email account such as Email Address, User name, Server etc along with password at this location.

Here is the screenshot of IMAP/SMTP account stored for sample outlook profile
 
Outlook Registry Password Location
 
As shown in the above screenshot different type of accounts (IMAP/POP3/SMTP/HTTP) uses different registry 'Value Name' to refer to username, password, server information etc.

Here is the table which summarizes these registry value names for all type of email account configurations used by Outlook.
 
  Username Password Email Address Server Port
IMAP IMAP User IMAP Password Email IMAP Server IMAP Port
POP3 POP3 User POP3 Password Email POP3 Server POP3 Port
HTTP HTTP User HTTP Password Email HTTP Server URL N/A
SMTP SMTP User SMTP Password Email SMTP Server SMTP Port
 
 
Except the password, all the other information is stored in clear text in unicode format. Password is encrypted and has following structure.
 
   struct OutlookPassword
  {
    BYTE byteEncType;
    BYTE *encPassData;
  };
 
The byteEncType indicates the encryption mechanism used for storing the password. Here are possible values for byteEncType

1 => Windows Protected Storage
2 => New Windows Cryptography Method
 
Newer versions (2002-2013) of Outlook uses 'Windows Cryptography' methods to encrypt the password when Outlook is running on Windows NT platform. For older platforms it uses the 'Windows Protected Storage' mechanism. The method for decrypting protected storage based passwords is mentioned the in the below section on older Outlook version.

Once the password value is read from the registry, decrypting it is plain task. As mentioned above, make sure that first byte contains value 2 pointing to newer method of encryption. In that case, encPassData value contains the actual encrypted password data which can be decrypted using CryptUnprotectData function as shown below
 

 DATA_BLOB DataPassword;
 DATA_BLOB DataOutput;

 DataPassword.cbData = <length of password data>
 DataPassword.pbData = (BYTE *) outlookPassword->encPassData;

 if( CryptUnprotectData(&DataPassword, 0, 0, 0, 0, 0, &DataOutput) )
 {
    printf("Found the Outlook Password %S ", DataOutput.pbData);
 }
 
The above code snippet takes the encrypted password data and length to form the DATA_BLOB parameter. Then it is passed on to CryptUnprotectData function to decrypt the password and the clear text password is stored in the DataOutput parameter on successful execution.
 
 
 
Recovering Exchange Server Passwords from Outlook 2002-2013
Newer Outlook version (2002-2013) uses the 'Credential Store' to store the 'Exchange Server' passwords. It provides more secure mechanism for storing and retrieving the password than the older 'Protected Storage' format. This mechanism is mainly used by Windows to securely store network login passwords.

Here are the locations of credential files used by 'Credential Store' to store the encrypted passwords on various platforms.
 
 
For Windows XP
On Windows XP, the encrypted user credentials are stored in the hidden file called 'Credentials' inside both APPDATA and LOCALAPPDATA locations mentioned below.
   [APPDATA Location]
   C:\Documents and Settings\<username>\Application Data\Microsoft\Credentials\<user sid>\
        
   [LOCALAPPDATA Location]
   C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft
   \Credentials\<user sid>\ 
 
 
For Vista/Windows 7/Windows 8
Vista onwards, the user credentials are stored in the multiple files with random name (generated using GUID) inside both APPDATA and LOCALAPPDATA locations mentioned below. (There will be separate credential file for each of the network accounts)
   [APPDATA Location]
   C:\Users\<username>\AppData\Roaming\Microsoft\Credentials\
        
   [LOCALAPPDATA Location]
   C:\Users\<username>\AppData\Local\Microsoft\Credentials\ 
 
For further details on decrypting the exchange server password protected by 'Credential Store' refer to the 'Recovering Domain Network Password Section' of 'Exposing Secrets of Network Passwords' article [Reference 1].
 
 
 
Recovering Passwords from Outlook Express, 98 & 2000 Version
Older versions of Outlook (Outlook Express, 98, 2000 etc) stores the Email configuration information along with encrypted password at following registry location,
 
[For Outlook installed in Internet Mail Only Mode Configuration]
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

[For Outlook in normal mode]
HKCU\Software\Microsoft\Internet Account Manager\Accounts
 
Here Outlook stores all the email configuration details such as Email Address, User name, Server etc along with encrypted password. Unlike new Outlook version, older ones stored password for all type of accounts including 'Exchange Server' in the 'Windows Protected Storage'.

However the storage format in the registry is similar to new Outlook versions with the slight change in the registry value names. Here is the table which summarizes various registry value names for different type of email account configurations used by older Outlook versions.
 
  Username Password Email Address Server Port
IMAP IMAP User Name IMAP Password2 SMTP Email Address IMAP Server IMAP Port
POP3 POP3 User Name POP3 Password2 SMTP Email Address POP3 Server POP3 Port
HTTP HTTPMail User Name HTTPMail Password2 SMTP Email Address HTTPMail Server N/A
SMTP SMTP User Name SMTP Password2 SMTP Email Address SMTP Server SMTP Port
LDAP LDAP User Name LDAP Password2 N/A LDAP Server N/A
 
 
The encrypted password is in below format (same across all Outlook versions)
 
   struct OutlookPassword
  {
    BYTE byteEncType;
    BYTE *encPassData;
  };
 
Since older versions use 'Protected Storage' method, the byteEncType is always set to 1. Also the encPassData value actually points to 'password item name' in the Protected storage. While enumerating protected storage passwords, this item name can be used to match with corresponding Outlook account password.

The complete program to enumerate and decrypt 'Protected Storage' passwords is shown in the 'Exposing Secrets of Internet Explorer' article [Reference 2]. Here additional check needs to be performed for comparing it with Outlook item names retrieved from the registry so as to recover only Outlook based passwords.
 
 
 
Outlook Password Recovery Using OutlookPasswordDecryptor
Outlook Password Decryptor is the FREE tool to instantly recover lost password for all versions of Outlook Application.
 
OutlookPasswordDecryptor
 
OutlookPasswordDecryptor works on wide range of platforms starting from Windows 2000 to Windows 8. It also support password recovery of passwords from all versions beginning with Outlook Express to latest version, Outlook 2013.
 
 
 
References
  1. Recovering Domain Network Passwords from 'Credential Store'
  2. Decrypting Passwords from 'Protected Storage'
 
 
 
See Also